Email Authentication and the Fight Against Phishing

When we collaborated with eBay and PayPal in 2007 to reject emails spoofing their domains, the fight against phishing using a cryptographic approach was in its infancy. That effort leveraged DomainKeys, an email authentication technology developed at Yahoo!, and was our initial attempt at enforcing domain-level policies to protect popular brands, as well as our users, from the wave of phishing messages flowing into our network.

DomainKeys eventually evolved into DKIM—the result of another collaborative effort among key players in the email industry. DKIM is currently on track to become an Internet standard, and its adoption rate across email senders and receivers worldwide continues to grow. At Yahoo! Mail, about 55 percent of the email traffic we receive uses DKIM.

Today we are pleased to announce the Yahoo! Mail Anti-Phishing Platform (YMAP), which is focused on further reinforcing the trust and security of the Yahoo! Mail experience using email authentication technologies. It builds on the pilot program we ventured into with eBay/PayPal, but this time around, we’re casting a wider net on the phishing problem.

Here are some of the highlights of the program:

  • Utilizes both DKIM and Sender Policy Framework (SPF) to identify authentic messages;
  • Relies on an agile and scalable platform for publishing domain-based policies;
  • Provides aggregate and message-level authentication reports to participating companies;
  • Accords domain owners control over the message-handling policies to be applied to unauthenticated messages;
  • Enforces domain-based phishing protection across the entire Yahoo! Mail network—that’s over 280 million users worldwide!

As with any endeavor of such scale, we’ve teamed up with email authentication partners—namely, Authentication Metrics, eCert, Return Path, and Truedomain—to gain enough coverage to protect the known targets of phishing attacks. Our partners work with top brands and email senders to audit, monitor and protect the email traffic using their domains. This collaboration enables us to apply policies to protect the authenticated emails using the domains of well-known online services, from popular social networks like Facebook to the lucrative and often-targeted institutions in the banking industry.

While this project is still in its early stages of deployment, we will be rolling it out aggressively during the coming months so that all users of Yahoo! Mail, along with the companies participating in the program, are better protected from the perilous plague of phishing.

One Response to “Email Authentication and the Fight Against Phishing”

  1. Ben Golden
    April 6, 2011 at 4:18 pm

    Sounds like some cool stuff.
    I’ll be excited to hear more about the details of what YMAP will expect from senders interested in making sure they conform to best practices and avoid false positives.